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Motivation  and  problem  statement 


•  Main  problem  of  access  control: 

-  Should  a  request  for  service  be  granted? 

•  In  a  distributed  system  with  multiple  authorities: 

-  Which  policies  need  to  be  consulted? 

-  Which  policies  are  violated  and  who  is  to  blame? 


I  want  to  print  thus... 
My  manager  says  I  can 


I  am  not  required  to 
listen  to  your  manager 
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Delegation  and  obligation 


•  “saying”  is  a  common  operator  in  access  control 
logics 

-  Captures  both  policy  and  credential  introduction 

-  Policies  are  typically  obligations  and  credentials 
are  typically  permissions 

-  Obligations  and  permissions  are  often  implicit 
and  must  be  deduced  by  the  checker 

•  Explicit  permissions  and  obligations 

-  Deontic  operators  PA</>,  0A(/> 
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LPS:logic  and  policies 


•  LPS  is  a  decidable  logic  with  complete  semantics 

•  Key  formal  device:  axiom  of  representation 

(says  i{A){pBsays  KB)(p)Asays  /(*>?>  )=>  scl>,s 

•  A  policy  is  a  collection  of  sequents 

{id  )y?  i— >  y/ 

-True  preconditions  must  have  true 
postconditions 

-  Postconditions  make  more  preconditions  true 
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Contributions  to  science 


•  Uniform  treatment  of  access  control  and 
conformance 

-  Access  control  is  verification  of  permissions 

-  Conformance  is  satisfaction  of  obligations 

-  Both  are  formalized  as  provability  of  statements 
in  the  logic 

•  Clarified  semantics  of  deontic  modalities 

-  Nested  permissions  and  obligations 

-  Positive  and  negative  permissions 
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Nested  deontic  modalities 


•  Parents  (A)  should  not  let  their  children  (B)  play 
by  the  road 

-  Multiple  possible  interpretations: 

•  A  should  not  give  B  permission  to  play  (positive  permission) 

•  A  should  tell  B  not  to  play  (negative  permission) 

•  A  should  physically  prevent  B  from  playing 

-  Each  interpretation  make  sense  in  some  context 

•  Alternation  with  saying  solves  the  problem 

-  “require  to  allow”  becomes  “require  to  make  a  rule...” 

•  0A(-.says  l(A)PB  play  road  (5)) 

0A{says  l(A)0 B—iPlay  mad  ( B )) 
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System  architecture 


•  Principals  introduce  laws 

•  Logic  programming  engine  computes  utterances, 
ground  saying  terms 


•  Request  is  granted  if  utterances  contain  a 
permission  for  it 
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Future  work:  quantitative  evaluation 


•  LPS  can  be  used  as  an  alternative  to  Keynote  in 
the  QuanTM  architecture 

•  A  tighter  integration  with  the  reputation  manager 
will  be  more  efficient 

•  Quantitative  semantics  for  LPS  will  combine  TDG 
construction  and  evaluation 

-  Supported  by  the  logic  programming  framework 
of  LPS 

-  Similar  to  probabilistic  Datalog  semantics 
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